removes signature from SigningCommitment

Hugh Cunningham · Hugh Cunningham · commit 0680429684aa · 2024-09-17T12:16:57.000-07:00
our SigningCommitment type includes a signature of the identity of the
participant creating the commitment, the raw signing commitments, and the input
checksum

the signature allows other participants to verify that the commitment was
created by the participant whose identity is included in the SigningCommitment.
this verification takes place before creating a SigningPackage. without this
verification an invalid SigningPackage can be created: the participant identity
with the mismatched signing commitment will be unable to generate a signature
share. the signature therefore allows the signing process to terminate one step
earlier in case a participant generates an invalid commitment.

the multisig Ledger app will not be able to generate this signature without
additional features.

these changes remove the signature from the SigningCommitment struct so that we
will be able to create SigningCommitment instances from raw commitments
generated on Ledger devices.
diff --git a/src/signing_commitment.rs b/src/signing_commitment.rs
@@ -14,7 +14,6 @@ use crate::io;
 use crate::nonces::deterministic_signing_nonces;
 use crate::participant::Identity;
 use crate::participant::Secret;
-use crate::participant::Signature;
 use crate::participant::IDENTITY_LEN;
 use core::borrow::Borrow;
 use core::hash::Hasher;
@@ -26,8 +25,7 @@ extern crate alloc;
 use alloc::vec::Vec;
 
 const NONCE_COMMITMENT_LEN: usize = 32;
-pub const AUTHENTICATED_DATA_LEN: usize = IDENTITY_LEN + NONCE_COMMITMENT_LEN * 2 + CHECKSUM_LEN;
-pub const SIGNING_COMMITMENT_LEN: usize = AUTHENTICATED_DATA_LEN + Signature::BYTE_SIZE;
+pub const SIGNING_COMMITMENT_LEN: usize = IDENTITY_LEN + NONCE_COMMITMENT_LEN * 2 + CHECKSUM_LEN;
 
 #[must_use]
 fn input_checksum<I>(transaction_hash: &[u8], signing_participants: &[I]) -> Checksum
@@ -51,55 +49,32 @@ where
     hasher.finish()
 }
 
-fn authenticated_data(
-    identity: &Identity,
-    raw_commitments: &SigningCommitments,
-    checksum: Checksum,
-) -> Result<[u8; AUTHENTICATED_DATA_LEN], IronfishFrostError> {
-    let mut data = [0u8; AUTHENTICATED_DATA_LEN];
-    let parts = [
-        &identity.serialize()[..],
-        &raw_commitments.hiding().serialize()?,
-        &raw_commitments.binding().serialize()?,
-        &checksum.to_le_bytes(),
-    ];
-    let mut slice = &mut data[..];
-    for part in parts {
-        slice[..part.len()].copy_from_slice(part);
-        slice = &mut slice[part.len()..];
-    }
-    debug_assert_eq!(slice.len(), 0);
-    Ok(data)
-}
-
 #[derive(Clone, PartialEq, Eq, Debug)]
 pub struct SigningCommitment {
     identity: Identity,
     raw_commitments: SigningCommitments,
     /// A checksum of the transaction hash and the signers for a signing operation. Used to quickly
     /// tell if a set of commitments were all generated from the same inputs.
     checksum: Checksum,
-    /// Signature that ensures that `hiding`, `binding`, and `checksum` were generated by the owner
-    /// of `identity`.
-    signature: Signature,
 }
 
 impl SigningCommitment {
-    fn from_raw_parts(
-        identity: Identity,
+    pub fn from_raw<I>(
         raw_commitments: SigningCommitments,
-        checksum: Checksum,
-        signature: Signature,
-    ) -> Result<Self, IronfishFrostError> {
-        let signing_commitment = Self {
+        identity: Identity,
+        transaction_hash: &[u8],
+        signing_participants: &[I],
+    ) -> Result<SigningCommitment, IronfishFrostError>
+    where
+        I: Borrow<Identity>,
+    {
+        let checksum = input_checksum(transaction_hash, signing_participants);
+
+        Ok(SigningCommitment {
             identity,
             raw_commitments,
             checksum,
-            signature,
-        };
-        signing_commitment
-            .verify_authenticity()
-            .map(|_| signing_commitment)
+        })
     }
 
     pub fn from_secrets<I>(
@@ -116,24 +91,13 @@ impl SigningCommitment {
             deterministic_signing_nonces(secret_share, transaction_hash, signing_participants);
         let raw_commitments = *nonces.commitments();
         let checksum = input_checksum(transaction_hash, signing_participants);
-        let authenticated_data = authenticated_data(&identity, &raw_commitments, checksum)?;
-        let signature = participant_secret.sign(&authenticated_data);
         Ok(SigningCommitment {
             identity,
             raw_commitments,
             checksum,
-            signature,
         })
     }
 
-    pub fn verify_authenticity(&self) -> Result<(), IronfishFrostError> {
-        let authenticated_data =
-            authenticated_data(&self.identity, &self.raw_commitments, self.checksum)?;
-        Ok(self
-            .identity
-            .verify_data(&authenticated_data, &self.signature)?)
-    }
-
     pub fn verify_checksum<I>(
         &self,
         transaction_hash: &[u8],
@@ -178,7 +142,6 @@ impl SigningCommitment {
     }
 
     pub fn serialize_into<W: io::Write>(&self, mut writer: W) -> Result<(), IronfishFrostError> {
-        writer.write_all(&self.signature.to_bytes())?;
         writer.write_all(&self.identity.serialize())?;
         writer.write_all(&self.hiding().serialize()?)?;
         writer.write_all(&self.binding().serialize()?)?;
@@ -187,10 +150,6 @@ impl SigningCommitment {
     }
 
     pub fn deserialize_from<R: io::Read>(mut reader: R) -> Result<Self, IronfishFrostError> {
-        let mut signature_bytes = [0u8; Signature::BYTE_SIZE];
-        reader.read_exact(&mut signature_bytes)?;
-        let signature = Signature::from_bytes(&signature_bytes);
-
         let identity = Identity::deserialize_from(&mut reader)?;
 
         let mut hiding = [0u8; 32];
@@ -207,17 +166,19 @@ impl SigningCommitment {
         reader.read_exact(&mut checksum)?;
         let checksum = Checksum::from_le_bytes(checksum);
 
-        Self::from_raw_parts(identity, raw_commitments, checksum, signature)
+        Ok(SigningCommitment {
+            identity,
+            raw_commitments,
+            checksum,
+        })
     }
 }
 
 #[cfg(test)]
 mod tests {
-    use super::authenticated_data;
     use super::SigningCommitment;
     use crate::frost::keys::SigningShare;
     use crate::participant::Secret;
-    use hex_literal::hex;
     use rand::thread_rng;
 
     #[test]
@@ -248,117 +209,6 @@ mod tests {
         assert_eq!(deserialized, commitment);
     }
 
-    #[test]
-    fn deserialization_regression() {
-        let serialization = hex!(
-            "
-            307be5a2c20495d05966fc12b2cee3ea4d44cb3623f92b0f6a391c626fa7708e835
-            26e886448d5ef376c5d09675aed3e711cd3e0df9f6c607604e6a7371a210e725c3a
-            20a22aebc59d856bfbaa48fde8f8ea6fe48ddd978555932c283e760397f78b4b468
-            2f9b70f8baad6d7752f5e25bcbc6b3453d16d92589da722ad13a7390d0057c6aae8
-            363a50e835b89b44bccdd5889ef5a362fa89d841c96e65b34dbe3adf8f71faa041f
-            394ef6b127c4b6b1e43714f32c450e8d3d089b376915acd6500639cad9b202c479e
-            4216e2d4d16cad09b634e01270f4a52707d924fd9834e6206f48f04388ae90bcd63
-            f901369c6034760245574a2d3068f52b617d33ca1a417ea391d3785b542f5
-        "
-        );
-        let deserialized = SigningCommitment::deserialize_from(&serialization[..])
-            .expect("deserialization failed");
-        assert_eq!(serialization, deserialized.serialize());
-    }
-
-    #[test]
-    fn test_invalid_deserialization() {
-        let mut rng = thread_rng();
-
-        let secret = Secret::random(&mut rng);
-        let signing_share = SigningShare::default();
-        let signing_participants = [
-            Secret::random(&mut rng).to_identity(),
-            Secret::random(&mut rng).to_identity(),
-            Secret::random(&mut rng).to_identity(),
-        ];
-
-        let commitment = SigningCommitment::from_secrets(
-            &secret,
-            &signing_share,
-            b"transaction hash",
-            &signing_participants,
-        )
-        .expect("commitment creation failed");
-
-        let serialized = commitment.serialize();
-
-        for index in 0..serialized.len() {
-            let mut invalid_serialization = serialized;
-            invalid_serialization[index] ^= 0xff;
-            assert!(SigningCommitment::deserialize_from(&invalid_serialization[..]).is_err());
-        }
-    }
-
-    #[test]
-    fn test_valid_signature() {
-        let mut rng = thread_rng();
-
-        let secret = Secret::random(&mut rng);
-        let signing_share = SigningShare::default();
-        let signing_participants = [
-            Secret::random(&mut rng).to_identity(),
-            Secret::random(&mut rng).to_identity(),
-            Secret::random(&mut rng).to_identity(),
-        ];
-
-        let commitment = SigningCommitment::from_secrets(
-            &secret,
-            &signing_share,
-            b"transaction hash",
-            &signing_participants,
-        )
-        .expect("commitment creation failed");
-
-        assert!(commitment.verify_authenticity().is_ok());
-    }
-
-    #[test]
-    fn test_invalid_signature() {
-        let mut rng = thread_rng();
-
-        let secret = Secret::random(&mut rng);
-        let signing_share = SigningShare::default();
-        let signing_participants = [
-            Secret::random(&mut rng).to_identity(),
-            Secret::random(&mut rng).to_identity(),
-            Secret::random(&mut rng).to_identity(),
-        ];
-
-        let commitment = SigningCommitment::from_secrets(
-            &secret,
-            &signing_share,
-            b"transaction hash",
-            &signing_participants,
-        )
-        .expect("commitment creation failed");
-
-        let unrelated_secret = Secret::random(&mut rng);
-        let invalid_signature = unrelated_secret.sign(
-            &authenticated_data(
-                commitment.identity(),
-                commitment.raw_commitments(),
-                commitment.checksum(),
-            )
-            .expect("authenticated data failed to return"),
-        );
-
-        let invalid_commitment = SigningCommitment {
-            identity: commitment.identity().clone(),
-            raw_commitments: *commitment.raw_commitments(),
-            checksum: commitment.checksum(),
-            signature: invalid_signature,
-        };
-
-        assert!(invalid_commitment.verify_authenticity().is_err());
-    }
-
     #[test]
     fn test_checksum_stability() {
         let mut rng = thread_rng();
